Linux server firewall settings
2010-07-20 11:32
477 views
```bash
#!/bin/bash
## ----------------------------------------------------------------------
## START OF FILE
## ----------------------------------------------------------------------
##
## Filename: iptbl.sh
## ----------------------------------------------------------------------
### CHANGE LOG
## ----------------------------------------------------------------------
##
## this script requires iptables package to be installed on your machine
##
## ----------------------------------------------------------------------

# Where to find iptables binary
IPT="/sbin/iptables"

# The network interface you will use
# WAN is the one connected to the internet
# LAN the one connected to your local network
WAN="eth0"
LAN="eth1"

# The public services further down are only opened on the host whose
# WAN MAC address equals servermac; read the MAC of $WAN from ifconfig
servermac='00:1b:21:1e:8f:49'
macstr=$(ifconfig | grep "$WAN")
outmac=${macstr##*HWaddr }        # keep what follows "HWaddr "
outmac=${outmac%%[[:space:]]*}    # drop trailing whitespace from ifconfig

echo "Clearing up existing rules"
# First we need to clear up any existing firewall rules
# and chain which might have been created
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

echo "Default policies"
# Default policies: Drop any incoming packets
# accept the rest.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# To be able to forward traffic from your LAN
# to the Internet, we need to tell the kernel
# to allow ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Masquerading"
# Masquerading will make machines from the LAN
# look like if they were the router
$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# If you want to allow traffic to specific port to be
# forwarded to a machine from your LAN
# here we forward traffic to an HTTP server to machine 192.168.0.2
#$IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.0.2:80
#$IPT -A FORWARD -i $WAN -p tcp --dport 80 -m state --state NEW -j ACCEPT
# For a whole range of port, use:
#$IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 1200:1300 -j DNAT --to 192.168.0.2
#$IPT -A FORWARD -i $WAN -p tcp --dport 1200:1300 -m state --state NEW -j ACCEPT

echo 'Forbid invalid connections'
# Do not allow new or invalid connections to reach your internal network
$IPT -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP

echo 'Accept connections from local and LAN machines'
# Accept any connections from the local machine
$IPT -A INPUT -i lo -j ACCEPT
# plus from your local network
$IPT -A INPUT -i $LAN -j ACCEPT

echo 'Firewall'
# Here we define a new chain which is going to handle
# packets we don't want to respond to
# limit the amount of logs to 10/min
$IPT -N Firewall
$IPT -A Firewall -m limit --limit 10/minute -j LOG --log-prefix "Firewall: "
$IPT -A Firewall -j DROP

echo 'Rejectwall'
# log those packets and inform the sender that the packet was rejected
$IPT -N Rejectwall
$IPT -A Rejectwall -m limit --limit 10/minute -j LOG --log-prefix "Rejectwall: "
$IPT -A Rejectwall -j REJECT
# use the following instead if you want to simulate that the host is not reachable
# for fun though
#$IPT -A Rejectwall -j REJECT --reject-with icmp-host-unreachable

echo 'Bad flags'
# here we create a chain to deal with illegitimate packets
# and limit the number of alerts to 10/min
# packets will be dropped without informing the sender
$IPT -N Badflags
$IPT -A Badflags -m limit --limit 10/minute -j LOG --log-prefix "Badflags: "
$IPT -A Badflags -j DROP

echo 'Wellknown badflags'
# A list of well known combination of Bad TCP flags
# we redirect those to the Badflags chain
# which is going to handle them (log and drop)
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags

echo 'Accept certain icmp message'
# Accept certain icmp message, drop the others
# and log them through the Firewall chain
# 0 => echo reply
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# 3 => Destination Unreachable
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
# 11 => Time Exceeded
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# 8 => Echo
# avoid ping flood
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j Firewall

if [ "$outmac" = "$servermac" ]; then
    echo 'Enable ftp, ssh and the website'
    # Accept ftp connections from Internet (control port plus passive data range)
    $IPT -A INPUT -i $WAN -p tcp --dport 21 -j ACCEPT
    $IPT -A INPUT -i $WAN -p tcp --dport 49152:51200 -j ACCEPT
    # Accept ssh connections from Internet
    $IPT -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
    ## Accept tftp connections from Internet
    #$IPT -A INPUT -i $WAN -p tcp --dport 69 -j ACCEPT
    # Accept https connections from Internet
    # (port 429 is kept as the author wrote it; standard https is 443)
    $IPT -A INPUT -i $WAN -p tcp --dport 429 -j ACCEPT
    $IPT -A INPUT -i $WAN -p tcp --dport 3000 -j ACCEPT
fi

## The port for ldap
# $IPT -A INPUT -i $WAN -p tcp --dport 389 -j ACCEPT
# or only accept from a certain ip
#$IPT -A INPUT -i $WAN -s 125.124.123.122 -p tcp --dport 22 -j ACCEPT

echo 'Accept related connections'
# Accept related and established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop netbios from the outside, no log, just drop
$IPT -A INPUT -p udp --sport 137 --dport 137 -j DROP

# Finally, anything which was not allowed yet
# is going to go through our Rejectwall rule
$IPT -A INPUT -j Rejectwall

## ----------------------------------------------------------------------
### END OF FILE
## ----------------------------------------------------------------------
```